Title: Security and privacy in mobile environments
Language: English
Authors: Merzdovnik, Georg 
Qualification level: Doctoral
Keywords: Security; Privacy; Network Security; Mobile Operating Systems; Android; TLS; Certificate Pinning
Advisor: Weippl, Edgar R.
Issue Date: 2017
Number of Pages: 141
The number of smartphones is constantly increasing, and they have become a central part of our lives. A major reason for their success is the large number of available applications. While these applications open up many opportunities for their users, they can also pose risks. Given the sheer number of available applications, it is inevitable that some of them are of poor quality. While such applications may not pose a direct risk to the device itself, many of them communicate with some kind of back-end server on the internet. Furthermore, "free" applications often include some kind of advertisement, which in turn has to be loaded from yet another server. We analyze the existing ecosystem of third-party tracking in web and mobile applications and evaluate defenses according to their effectiveness in blocking tracking efforts. We show that a lot of information is still transmitted in clear text, without the use of Transport Layer Security. In addition, even when TLS is used, this tracking information can still be exploited by attackers for certain kinds of attacks. Based on our findings, we propose different approaches to protect user privacy and security. Specifically, we explore notary-based validation schemes for certificate validation and provide a longitudinal study of the certificate validation capabilities of available notary services. Mobile apps already employ certificate pinning to prevent interception attacks. However, the application still needs to be updated whenever the corresponding certificate changes. We therefore provide an on-device certificate pinning solution that utilizes notary services to update pinned certificates automatically and transparently for the user. Finally, we evaluate existing Android malware analysis platforms and provide metrics on the effectiveness and inter-dependencies of these services. This allows security analysts to select the best-fitting system, or subset of systems, for their analysis task.
URI: https://resolver.obvsg.at/urn:nbn:at:at-ubtuw:1-101490
Library ID: AC13773886
Organisation: E188 - Institut für Softwaretechnik und Interaktive Systeme 
Publication Type: Thesis
Appears in Collections: Thesis

File: Security and privacy in mobile environments.pdf (2.6 MB, Adobe PDF)

Items in reposiTUm are protected by copyright, with all rights reserved, unless otherwise indicated.